LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: jyb on July 02, 2013, 04:14:22 AM

Title: eggdepo.com, again
Post by: jyb on July 02, 2013, 04:14:22 AM
Hi, I googled being able to run Excel from an external hard drive. Some web pages mentioned a marvellous sounding thing called "Portable Office 2007". I went looking for this and ended up clicking on some very dodgy links. A little while later I noticed that ordinary web pages had lots of strange links inviting me to take part in a survey. A little later I was getting lots of pop-ups inviting me to start playing at an online casino. I also noticed that Internet Explorer was behaving very oddly - freezing for long periods, using lots of CPU and memory, running lots of processes and when I tried to kill them they multiplied. So now I am wiser but sadder.

I haven't made any cleanup efforts yet, just followed the process as described in http://www.landzdown.com/analysis-and-malware-removal/log-posting-instructions/.

Thanks in advance to anyone who is willing to help me!

Here is my checkup.txt:

Results of screen317's Security Check version 0.99.68 
Windows 7 Service Pack 1 x86 (UAC is enabled) 
Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled! 
Microsoft Security Essentials   
Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
Excel VBA Code Cleaner 5.0
JavaFX 2.1.1   
Java 7 Update 21 
Java version out of Date!
Google Chrome 27.0.1453.110 
Google Chrome 27.0.1453.116 
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

and here are the other files:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 23/06/2012 7:43:42 p.m.
System Uptime: 1/07/2013 9:21:15 p.m. (13 hours ago)
.
Motherboard: Dell Inc.           |  | 0NY776
Processor: Intel(R) Pentium(R) Dual  CPU  E2180  @ 2.00GHz | Microprocessor | 1995/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 403.208 GiB free.
D: is CDROM ()
E: is CDROM ()
G: is FIXED (NTFS) - 1863 GiB total, 1261.883 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: PCI Input Device
Device ID: PCI\VEN_1102&DEV_7002&SUBSYS_00201102&REV_07\4&5855BE9&0&21F0
Manufacturer:
Name: PCI Input Device
PNP Device ID: PCI\VEN_1102&DEV_7002&SUBSYS_00201102&REV_07\4&5855BE9&0&21F0
Service:
.
==== System Restore Points ===================
.
RP140: 23/05/2013 7:09:25 a.m. - Windows Update
RP141: 27/05/2013 10:30:16 a.m. - Windows Update
RP142: 31/05/2013 10:30:10 a.m. - Windows Update
RP143: 4/06/2013 10:30:07 a.m. - Windows Update
RP144: 7/06/2013 2:47:22 p.m. - Windows Update
RP145: 11/06/2013 2:17:19 p.m. - Windows Update
RP146: 13/06/2013 3:00:13 a.m. - Windows Update
RP147: 14/06/2013 11:33:18 a.m. - Installed PKZIP for Windows 14.00.0023.
RP148: 17/06/2013 1:52:22 a.m. - Windows Update
RP149: 20/06/2013 6:53:37 a.m. - Windows Update
RP150: 23/06/2013 12:03:23 p.m. - Windows Update
RP151: 27/06/2013 12:04:47 p.m. - Windows Update
RP152: 1/07/2013 3:51:32 a.m. - Windows Update
.
==== Installed Programs ======================
.
(remove only)
2007 New Zealand Master Tax Guide
7-Zip 9.22beta
Accent OFFICE Password Recovery 2.60
Adobe Flash Player 11 ActiveX
Agent Ransack 2010
Alerter
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Arcade! Classic Arcade Pack 3.7
Armagetron Advanced 0.2.8.3.2
ASAP Utilities
aTube Catcher
bd4 Version 4.10
BlitzPlus 1.47
Bonjour
BoulderDash 1.0
C64 Forever
Canon MF Toolbox 4.9.1.1.mf04
Canon MF4100 Series
CCS64 V3.9
Crystal Cave Christmass
Custom UI Editor for Microsoft Office
CutePDF Writer 3.0
Data Filter Tool version 1.5
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DVDVideoSoftTB Toolbar
Excel Utilities 2.2
Excel VBA Code Cleaner 5.0
Excel VBA Code Documentor 5.0
EZDownloader
FastExcel 2.4
FolderBrowser
Foxit Reader
Free WebM Video Converter version 5.0.22.128
GameBase v1.3
GDash
GemWars For Windows
Google Chrome
Google Update Helper
Hafík 1.1L
HamsterJam
HHD Software Free Hex Editor Neo 5.14
iLivid
iTunes
Java 7 Update 21
Java Auto Updater
JavaFX 2.1.1
K-Lite Codec Pack 9.1.0 (Full)
KBall Final - 16 December 2004
Lode Runner 1.0
Megaplex
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Filter Pack 2.0
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Morefunc
Mozilla Thunderbird 17.0.5 (x86 en-GB)
MPC-HC 1.6.2.4902
mtPaint 3.40
MYOB Accounting Plus v17
MZ-Tools 3.0 for VBA
NSIS BatMan (remove only)
PKZIP for Windows 14.00.0023
Project Paradroid
safe  soauvoe
SafeSaver 1.74
Safrosoft RoX 1.4
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition
Security Update for Microsoft Filter Pack 2.0 (KB2553501) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687422) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2760406) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft OneNote 2010 (KB2760600) 32-Bit Edition
Security Update for Microsoft Publisher 2010 (KB2553147) 32-Bit Edition
Security Update for Microsoft Visio 2010 (KB2810068) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2687505) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition
Shareaza 2.6.0.0
Sheet Picker version 2.0
Software Director
streamCapture
Supaplex 3000
SWF Opener
TeraCopy 2.3 beta 2
The GameBase64 Collection v08
TrueCrypt
Tux Paint 0.9.21c
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
VDownloader 3.9.1360
Vodafone Mobile Connect
Winamp
Winamp Detector Plug-in
Windows Installer Clean Up
WinMerge 2.12.4
WinPcap 4.1.1
WinRAR archiver
WinZip 17.5
WinZip Command Line Support Add-On 4.0
XML Marker version 2.1
XY Chart Labeler 7.1
Yontoo 1.12.02
YouTube Batch Downloader
Zworx DL
.
==== Event Viewer Messages From Past Week ========
.
1/07/2013 5:14:56 p.m., Error: Schannel [36888]  - The following fatal alert was generated: 40. The internal error state is 107.
1/07/2013 5:14:56 p.m., Error: Schannel [36874]  - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
.
==== End Of File ===========================

and:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16611  BrowserJavaVersion: 10.21.2
Run by Adults at 10:11:53 on 2013-07-02
Microsoft Windows 7 Professional   6.1.7601.1.1252.64.1033.18.3582.2125 [GMT 12:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\PKWARE\PKZIPM\14.00.0023\PKTray.exe
C:\Program Files\Common Files\Cloanto\Software Director\softdir.exe
C:\Program Files\WinZip\WZQKPICK32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\ConAppM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\DsNET Corp\aTube Catcher 2.0\yct.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\prxtbDVDV.dll
mURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\prxtbDVDV.dll
BHO: Shareaza Web Download Hook: {0EEDB912-C5FA-486F-8334-57288578C627} - c:\program files\shareaza\RazaWebHook32.dll
BHO: safe  soauvoe: {3BEC8B64-89E1-01F3-EC0B-C639B028F02E} - c:\programdata\safe  soauvoe\51ca22a0128f8.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\prxtbDVDV.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\yontoo\YontooIEClient.dll
TB: DVDVideoSoftTB Toolbar: {872B5B88-9DB5-4310-BDD0-AC189557E5F5} - c:\program files\dvdvideosofttb\prxtbDVDV.dll
TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\prxtbDVDV.dll
uRun: [ISUSPM] "c:\programdata\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
uRun: [FreeYTVDownloader] c:\program files\dvdvideosoft\free youtube download\FreeYTVDownloader.exe
mRun: [MobileConnect] c:\program files\vodafone\vodafone mobile connect\bin\MobileConnect.exe /silent
mRun: [kX Mixer] c:\windows\system32\kxmixer.exe --startup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [VDownloader] c:\program files\vdownloader\VDownloader.exe /silent
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
StartupFolder: c:\users\adults\appdata\roaming\micros~1\windows\startm~1\programs\startup\rbtray~1.lnk - g:\documents\moitah.net\rbtray\32bit\RBTray.exe
StartupFolder: c:\users\adults\appdata\roaming\micros~1\windows\startm~1\programs\startup\thunde~1.lnk - g:\portableapps\thunderbirdportable\ThunderbirdPortable.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pkzipa~1.lnk - c:\program files\pkware\pkzipm\14.00.0023\PKTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\softwa~1.lnk - c:\program files\common files\cloanto\software director\softdir.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK32.EXE
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 10.1.1.1
TCP: Interfaces\{B0335482-9530-4BFE-9C39-4E6E79DFA6A8} : DHCPNameServer = 10.1.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
AppInit_DLLs= c:\progra~1\safesa~1\sprote~1.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 100328]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-3-13 24576]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
R3 kxwdmdrv;kX WDM Driver Service;c:\windows\system32\drivers\kx.sys [2010-12-18 445512]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-7-18 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-6-23 1343400]
.
=============== Created Last 30 ================
.
2013-07-01 00:47:03   7068072   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{246d1fb6-ad11-420c-9dff-66cc6675fd2e}\mpengine.dll
2013-06-30 15:52:56   7068072   ------w-   c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-06-26 01:55:29   --------   d-----w-   c:\users\adults\appdata\local\WinZip Courier
2013-06-26 01:54:51   --------   d-----w-   c:\programdata\WinZipEC
2013-06-26 01:54:46   --------   d-----w-   c:\users\adults\appdata\local\assembly
2013-06-25 22:18:53   --------   d-----w-   c:\users\adults\appdata\roaming\EZDownloader
2013-06-25 22:18:19   --------   d-----w-   c:\programdata\StarApp
2013-06-25 22:18:15   --------   d-----w-   c:\program files\SafeSaver
2013-06-25 22:18:00   --------   d-----w-   c:\programdata\safe  soauvoe
2013-06-25 22:17:29   --------   d-----w-   c:\windows\system32\X86
2013-06-25 22:17:29   --------   d-----w-   c:\windows\system32\AMD64
2013-06-25 22:17:29   --------   d-----w-   c:\program files\EZDownloader
2013-06-25 22:12:11   --------   d-----w-   c:\programdata\InstallMate
2013-06-22 14:37:53   724464   ------w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{279c7317-8322-44f1-8537-919599f4ec2f}\gapaengine.dll
2013-06-14 01:50:19   --------   d-----w-   C:\ndn
2013-06-14 00:47:26   --------   d-----w-   c:\users\adults\appdata\local\WinZip
2013-06-13 23:35:26   --------   d-----w-   c:\users\adults\appdata\roaming\PKWARE
2013-06-13 23:35:26   --------   d-----w-   c:\programdata\PKWARE
2013-06-13 23:33:51   --------   d-----w-   c:\program files\common files\PKWARE
2013-06-13 23:33:49   --------   d-----w-   c:\program files\PKWARE
2013-06-12 22:01:25   --------   d-----w-   c:\windows\Alerter
2013-06-12 22:01:25   --------   d-----w-   c:\program files\Alerter
2013-06-12 15:03:50   2706432   ----a-w-   c:\windows\system32\mshtml.tlb
2013-06-12 15:03:49   218112   ----a-w-   c:\program files\internet explorer\sqmapi.dll
2013-06-12 11:47:22   1505280   ----a-w-   c:\windows\system32\d3d11.dll
2013-06-12 11:47:17   24576   ----a-w-   c:\windows\system32\cryptdlg.dll
2013-06-12 11:47:14   492544   ----a-w-   c:\windows\system32\win32spl.dll
2013-06-12 11:47:10   903168   ----a-w-   c:\windows\system32\certutil.exe
2013-06-12 11:47:10   43008   ----a-w-   c:\windows\system32\certenc.dll
2013-06-12 11:47:10   140288   ----a-w-   c:\windows\system32\cryptsvc.dll
2013-06-12 11:47:10   1160192   ----a-w-   c:\windows\system32\crypt32.dll
2013-06-12 11:47:10   103936   ----a-w-   c:\windows\system32\cryptnet.dll
2013-06-12 11:47:06   1230336   ----a-w-   c:\windows\system32\WindowsCodecs.dll
2013-06-12 11:47:05   3913576   ----a-w-   c:\windows\system32\ntoskrnl.exe
2013-06-12 11:47:04   3968872   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2013-06-12 11:47:03   1293672   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2013-06-12 01:27:18   --------   d-----w-   c:\program files\pup7
2013-06-12 00:16:17   --------   d-----w-   c:\program files\AppsPro
2013-06-11 01:35:36   722739   ----a-w-   c:\windows\unins001.exe
2013-06-11 01:35:36   --------   d-----w-   c:\program files\Data Filter Tool
2013-06-10 23:47:21   --------   d-----w-   c:\users\adults\appdata\roaming\ASAP Utilities
2013-06-10 23:47:20   --------   d-----w-   c:\program files\ASAP Utilities
.
==================== Find3M  ====================
.
2013-06-12 18:27:02   692104   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2013-06-12 18:27:01   71048   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-17 01:25:57   1767936   ----a-w-   c:\windows\system32\wininet.dll
2013-05-17 01:25:27   2877440   ----a-w-   c:\windows\system32\jscript9.dll
2013-05-17 01:25:26   61440   ----a-w-   c:\windows\system32\iesetup.dll
2013-05-17 01:25:26   109056   ----a-w-   c:\windows\system32\iesysprep.dll
2013-05-14 08:40:13   71680   ----a-w-   c:\windows\system32\RegisterIEPKEYs.exe
2013-05-02 15:28:50   238872   ------w-   c:\windows\system32\MpSigStub.exe
2013-04-14 04:30:31   861088   ----a-w-   c:\windows\system32\npDeployJava1.dll
2013-04-14 04:30:31   782240   ----a-w-   c:\windows\system32\deployJava1.dll
2013-04-13 04:45:16   474624   ----a-w-   c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15   2176512   ----a-w-   c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45:29   1211752   ----a-w-   c:\windows\system32\drivers\ntfs.sys
2013-04-10 05:18:40   728424   ----a-w-   c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 05:18:40   218984   ----a-w-   c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 03:14:06   2347520   ----a-w-   c:\windows\system32\win32k.sys
2013-04-03 17:35:08   94112   ----a-w-   c:\windows\system32\WindowsAccessBridge.dll
2010-01-25 21:11:08   444283   ----a-w-   c:\program files\common files\WinPcapNmap.exe
.
============= FINISH: 10:13:56.98 ===============

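As an added example (not from the thread, and not part of the DDS tool), the following Python script reads the two DDS sections quoted above, the Pseudo HJT Report and Created Last 30, and flags load points (BHO, TB, AppInit_DLLs) whose module lives in a folder created during a short burst of folder creations, the pattern a bundled installer leaves behind. It also matches 8.3 short paths such as c:\progra~1\safesa~1 against their long names so the AppInit_DLLs entry can be tied to its folder. The regexes, the 5-minute burst window and the embedded excerpt (lines quoted from the posted log) are my own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in DDS log format; the entries are quoted from the
# log posted in this thread, trimmed to the lines the triage needs.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
BHO: safe  soauvoe: {3BEC8B64-89E1-01F3-EC0B-C639B028F02E} - c:\programdata\safe  soauvoe\51ca22a0128f8.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\yontoo\YontooIEClient.dll
AppInit_DLLs= c:\progra~1\safesa~1\sprote~1.dll
.
=============== Created Last 30 ================
.
2013-06-26 01:54:51   --------   d-----w-   c:\programdata\WinZipEC
2013-06-25 22:18:19   --------   d-----w-   c:\programdata\StarApp
2013-06-25 22:18:15   --------   d-----w-   c:\program files\SafeSaver
2013-06-25 22:18:00   --------   d-----w-   c:\programdata\safe  soauvoe
2013-06-25 22:17:29   --------   d-----w-   c:\program files\EZDownloader
2013-06-13 23:35:26   --------   d-----w-   c:\programdata\PKWARE
.
"""

# "BHO: <name>: {<clsid>} - <path>" and "TB: ..." share one layout;
# AppInit_DLLs is a bare "key= path" line.
LOAD_POINT_RE = re.compile(r"^(BHO|TB): (.*?): \{[0-9A-Fa-f-]+\} - (.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs=\s*(.+)$")
# Created Last 30: "<timestamp> <size> <attrs> <path>"; 'd' attrs = directory.
CREATED_DIR_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\S+\s+d\S+\s+(.+)$")


def parse_load_points(text):
    """Return (kind, name, module_path) for BHO/TB entries and AppInit_DLLs."""
    points = []
    for line in text.splitlines():
        m = LOAD_POINT_RE.match(line)
        if m:
            points.append((m.group(1), m.group(2), m.group(3).strip()))
            continue
        m = APPINIT_RE.match(line)
        if m:
            points.append(("AppInit_DLLs", "AppInit_DLLs", m.group(1).strip()))
    return points


def parse_created_dirs(text):
    """Return (datetime, path) for every directory in Created Last 30."""
    dirs = []
    for line in text.splitlines():
        m = CREATED_DIR_RE.match(line)
        if m:
            dirs.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                         m.group(2).strip()))
    return dirs


def install_bursts(dirs, window=timedelta(minutes=5), min_dirs=3):
    """Group directory creations that fall within `window` of the previous one
    and keep groups of at least `min_dirs`; a bundled installer typically
    drops several Program Files / ProgramData folders within seconds."""
    bursts, current = [], []
    for ts, path in sorted(dirs):
        if current and ts - current[-1][0] > window:
            if len(current) >= min_dirs:
                bursts.append(current)
            current = []
        current.append((ts, path))
    if len(current) >= min_dirs:
        bursts.append(current)
    return bursts


def _component_matches(short, long):
    """Match one path component that may be in 8.3 form ('safesa~1') against
    its long name ('SafeSaver'): Windows derives the short form from the
    first characters of the name with spaces removed, so compare that prefix."""
    short, long = short.lower(), long.lower()
    if "~" not in short:
        return short == long
    return long.replace(" ", "").startswith(short.split("~", 1)[0])


def path_under(path, directory):
    """True if `path` (long or 8.3 short form) lies inside `directory`."""
    p, d = path.split("\\"), directory.split("\\")
    return len(p) > len(d) and all(_component_matches(s, l) for s, l in zip(p, d))


def triage(text):
    """Load points whose module sits in a burst-created folder, as
    (kind, name, module_path, folder_created_at)."""
    burst_dirs = [(ts, d) for b in install_bursts(parse_created_dirs(text)) for ts, d in b]
    hits = []
    for kind, name, path in parse_load_points(text):
        for ts, d in burst_dirs:
            if path_under(path, d):
                hits.append((kind, name, path, ts.isoformat(sep=" ")))
                break
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

On the excerpt this flags the "safe  soauvoe" BHO and the AppInit_DLLs entry under SafeSaver, both in folders created within a minute of each other on 2013-06-25, and leaves the Java and Yontoo entries for manual review.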
Title: Re: eggdepo.com, again
Post by: Corrine on July 02, 2013, 02:24:12 PM
Hi, jyb.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

1.  Thank you for the nice explanation of what happened.  Perhaps you didn't know, but with a Microsoft Account, you can use Microsoft Web Apps.   See my article Using Microsoft Office Web Apps (http://securitygarden.blogspot.com/2013/04/using-microsoft-office-web-apps.html) for additional information.

2.  A strong word of caution regarding Shareaza:  P2P programs form a direct conduit onto your computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

With P2P file sharing, a file can be distributed among many hosts, and peers will provide for download the sections that they have already downloaded. This results in the distinct possibility of a distribution method in which malicious bits are mixed with good files.  As a result, I strongly advise you to uninstall Shareaza.  Do not use it when downloading any programs I ask you to run.

3.  The version of Java on your computer needs to be updated ASAP.  Please get the latest version from here:  Java Version 7 Update 25 (http://java.com/en/download/index.jsp).  UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

4.  Please follow these instructions carefully.

Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe).

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html).

Now, please run ComboFix: